Patch-ID# 116146-07

NOTE: ***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU AGREE
TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS,
PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: security ping equal unlabeled hardened network sunscreen panic umount

Synopsis: Trusted_Solaris_8_HW_12/02: genunix_policy patch

Date: Dec/07/2005

Install Requirements: Reboot immediately after patch is installed

Solaris Release: Trusted_Solaris_8_HW_12/02

SunOS Release: Trusted_Solaris_8_HW_12/02

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 116147

Topic: Trusted_Solaris_8_HW_12/02: genunix_policy patch

Relevant Architectures: sparc

BugId's fixed with this patch: 4639031 4894365 4915227 4920718 4931908 4932041 4934078 4938446 4965212 5039306 5044793 6224841 6246386 6332123

Changes incorporated in this version: 6332123

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 116142-02 (or greater)

Obsoleted by:

Files included with this patch:

/kernel/tsol_policy/genunix_policy
/kernel/tsol_policy/sparcv9/genunix_policy
/usr/include/sys/fs_secpolicy.h
/usr/include/sys/net_secpolicy.h
/usr/include/sys/pathname.h
/usr/include/sys/tsol/tnet.h
/usr/include/sys/vnode_secpolicy.h

Problem Description:

6332123 denial of service attack can hang system in trusted networking

(from 116146-06)

6246386 umount fails with EBUSY when called after df

(from 116146-05)

6224841 panic in tsol2tnet called from tsol_labelit

(from 116146-04)

5044793 Trusted Solaris 8 can deadlock in the network stack

(from 116146-03)

4931908 df -k ignores mac
4932041 proc tools produce revealing error messages to unprivileged subjects
4934078 users shouldn't trigger nfs net traffic for file systems they cannot access
4965212 Order of checking in tnrh_credchk complicates priv debugging
5039306 suser binaries should not be included in patches, incl. genunix_policy patches

(from 116146-02)

4894365 Request telnet not send - SYN/ACK/Rst downlabel during improper telnet
4915227 problems accessing dominated nfs file systems
4920718 Installation fails with panic on Trusted Solaris 8 HW 12/02
4938446 Expand "tsol_ping_equal_only" to "tsol_unlab_equal_only", add more protocols.

(from 116146-01)

4639031 ping on restricted interfaces can ping to higher label & get response

Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-10 releases, refer to the man pages for instructions on
using 'patchadd' and 'patchrm' scripts provided with Solaris.

Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are installed in order
for the fixes to take effect.

To install, follow these instructions. The steps below assume the patch
has been put into an ADMIN_LOW directory in /var/tmp and the patch file
label is configured to ADMIN_LOW.

Create a role which contains the Software Installation profile (typically
the admin role is assigned this profile) and whose label range includes
the ADMIN_LOW label. All the steps in the patch installation should be
executed at ADMIN_LOW. The patch should be owned by this role.
1) Login as a user authorized to assume a role that contains the
   Software Installation profile; typically the admin role. Assume
   that role.

   To verify the profile is assigned to the role, type:

   "profiles -l | grep patchadd"

   The result should be:

   /usr/sbin/patchadd uid=0, privs=all, label=admin_low

2) cd into /var/tmp and install the patch file.

   # cd /var/tmp
   # patchadd /var/tmp/

   where is the patch number.

NOTE 2: The tsol_ping_equal_only ndd switch in patches 116142-01 and
116144-01 has been renamed to tsol_unlab_equal_only.

NOTE 3: To get the complete hardening feature for bugids 4639031 and
4938446, please also install the following patches:

116142-02 (or greater) ip patch
116144-02 (or greater) inetinit patch

NOTE 4: To activate the complete hardening feature for bugids 4639031
and 4938446, you will need to edit /etc/init.d/inetinit after installing
the inetinit patch and uncomment the following line, as documented
within inetinit:

#/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1

This can be done just before reboot, after installing the above patches.

NOTE 5: It is recommended to save a copy of the /etc/init.d/inetinit
file before removing 116144-01 (or greater). The installation of this
patch will not preserve any user modifications made to the
/etc/init.d/inetinit file after the patch is installed. A copy of the
/etc/init.d/inetinit file is preserved before the patch installation is
complete. The user should be aware that after the patch is removed, the
pre-patch version of the /etc/init.d/inetinit file will not be restored
to the system.
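The activation step of NOTE 4 (and the matching tcp switch of NOTE 7 below), as an added POSIX sh example that is not part of Sun's README: it takes the backup NOTE 5 recommends, uncomments exactly the ndd line the README names, and reports each switch's state. The inetinit content is a constructed sample written to a temp file; the function names are this example's own, and it never touches the live /etc/init.d/inetinit.

```shell
#!/bin/sh
# Added example, not from the patch README: enable one of the ndd
# hardening switches that inetinit ships commented out. A backup is
# taken first because patchrm does not restore the pre-patch file
# (NOTE 5). The sample inetinit below is constructed, not the real file.

# enable_ndd_switch FILE DEVICE PARAM
#   Uncomments the line "#/usr/sbin/ndd -set DEVICE PARAM 1" in FILE after
#   saving FILE.orig. Idempotent: an already active line is left alone.
#   Returns 0 on success, 1 if FILE carries no such line at all.
enable_ndd_switch() {
    file=$1; dev=$2; param=$3
    pattern="/usr/sbin/ndd -set $dev $param 1"
    grep -q "^#*$pattern\$" "$file" || return 1
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    sed "s|^#\(${pattern}\)\$|\1|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# ndd_switch_state FILE DEVICE PARAM -> prints enabled, disabled or absent
ndd_switch_state() {
    pattern="/usr/sbin/ndd -set $2 $3 1"
    if grep -q "^$pattern\$" "$1"; then echo enabled
    elif grep -q "^#$pattern\$" "$1"; then echo disabled
    else echo absent; fi
}

# Constructed sample mimicking the relevant lines of /etc/init.d/inetinit
SAMPLE=${TMPDIR:-/tmp}/inetinit.sample.$$
cat > "$SAMPLE" <<'EOF'
#!/sbin/sh
# Trusted networking hardening switches (commented out by default)
#/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1
#/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1
EOF

# NOTE 4: ip switch. NOTE 7: tcp switch (needs the tcp patch as well).
enable_ndd_switch "$SAMPLE" /dev/ip tsol_unlab_equal_only
enable_ndd_switch "$SAMPLE" /dev/tcp tcp_strict_syn_policy
echo "ip:  $(ndd_switch_state "$SAMPLE" /dev/ip tsol_unlab_equal_only)"
echo "tcp: $(ndd_switch_state "$SAMPLE" /dev/tcp tcp_strict_syn_policy)"
rm -f "$SAMPLE" "$SAMPLE.orig"
```

NOTE 8 still applies: tsol_unlab_equal_only defaults to 0 and disables some network communication, so run this only where site policy calls for it and only after the patches in NOTE 3 or NOTE 6 are installed.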
NOTE 6: To get the complete hardening feature for bugs 4894365 and
4915227, please also install the following patches:

116142-02 (or greater) ip patch
116144-02 (or greater) inetinit patch
116405-01 (or greater) tcp patch

NOTE 7: To activate the complete hardening feature for bugid 4894365:
After installing 116144-02 (or greater), update /etc/init.d/inetinit by
removing the pound sign (#) from the ndd entry:

#/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1

This file may be updated after all these patches have been installed:

116142-02 (or greater) ip patch
116144-02 (or greater) inetinit patch
116405-01 (or greater) tcp patch

NOTE 8: The "tsol_unlab_equal_only" switch, if set to 1 (default is 0),
will disable some network communications that some sites depend upon.
Enable it only if desired per site policy.

NOTE 9: To get the complete fix for bugid 4920718 (Installation fails
with panic on Trusted Solaris 8 HW 12/02), please also install the
following patch:

116403-01 (or greater) device_policy patch

NOTE 10: To get the complete fix for bugid 5044793 (Trusted Solaris 8
can deadlock in the network stack), please also install the following
patch:

116142-03 (or greater) ip patch

NOTE 11: In order to get the full fix for bugid 6246386 (umount fails
with EBUSY when called after df), please also install the following
patch:

116614-03 (or greater) genunix and unix patch

Special Backout Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are removed.

1) Login as a user authorized to assume a role that contains the
   Software Installation profile; typically the admin role. Assume
   that role.

   To verify the profile is assigned to the role, type:

   "profiles -l | grep patchrm"

   The result should be:

   /usr/sbin/patchrm uid=0, privs=all, label=admin_low

2) Backout patch by typing:

   # patchrm

   where is the patch number.

README -- Last modified date: Wednesday, December 7, 2005